From 3ce1ee486ed2bed6778d3976ae0d6bb4dfa9cd7c Mon Sep 17 00:00:00 2001
From: CroneKorkN
Date: Fri, 15 May 2026 15:51:21 +0200
Subject: [PATCH] bundles/left4me: drop l4d2-sandbox user; tighten /var/lib/left4me to 0755
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Companion to the uid-collapse refactor on the left4me side (docs/superpowers/plans/2026-05-15-uid-collapse.md). The script- sandbox now runs as left4me too, defended by the hardening profile that landed earlier today rather than a kernel uid boundary.

users + groups dicts: remove the l4d2-sandbox entry (uid/gid 981).

/var/lib/left4me mode: 0711 → 0755. The 0711 was specifically a traverse-only loosening for the sandbox uid; with one user, the natural mode is back.
---
 bundles/left4me/README.md | 7 ++++---
 bundles/left4me/items.py | 22 ++++++++++------------
 2 files changed, 14 insertions(+), 15 deletions(-)

diff --git a/bundles/left4me/README.md b/bundles/left4me/README.md
index 8f73382..7ea4d98 100644
--- a/bundles/left4me/README.md
+++ b/bundles/left4me/README.md
@@ -36,9 +36,10 @@ from defaults. None of these need to be declared per-node.
 
 ## What this bundle does
 
-- Creates system users `left4me` (uid/gid 980, home `/var/lib/left4me`,
- mode 0711) and `l4d2-sandbox` (uid/gid 981, no home, used by bwrap
- script-overlay builds).
+- Creates system user `left4me` (uid/gid 980, home `/var/lib/left4me`,
+ mode 0755) — same uid hosts the web app, gameservers, and the
+ script-overlay sandbox unit (which drops privileges via systemd-run
+ with a fully hardened transient service).
 - Drops privileged helpers under `/usr/local/libexec/left4me/`
 (`left4me-systemctl`, `left4me-journalctl`, `left4me-overlay`,
 `left4me-script-sandbox`) plus a tight sudoers file (validated with
diff --git a/bundles/left4me/items.py b/bundles/left4me/items.py
index dcc4177..fdf73ea 100644
--- a/bundles/left4me/items.py
+++ b/bundles/left4me/items.py
@@ -19,11 +19,13 @@ directories = {
 'mode': '0755',
 },
 '/var/lib/left4me': {
- # left4me's home dir — useradd creates with 0700; loosen to 0711 so
- # l4d2-sandbox can traverse (but not list) for bwrap bind-mounts.
+ # left4me's home dir — useradd creates with 0700; loosen to 0755 so
+ # the systemd-imposed FS view for transient script-sandbox units
+ # (running as left4me with TemporaryFileSystem=/var/lib + selective
+ # binds) can traverse on its way to the overlay bind targets.
 'owner': 'left4me',
 'group': 'left4me',
- 'mode': '0711',
+ 'mode': '0755',
 },
 '/var/lib/left4me/installation': {'owner': 'left4me', 'group': 'left4me'},
 '/var/lib/left4me/overlays': {'owner': 'left4me', 'group': 'left4me'},
@@ -40,8 +42,7 @@ directories = {
 }
 
 groups = {
- 'left4me': {'gid': 980},
- 'l4d2-sandbox': {'gid': 981},
+ 'left4me': {'gid': 980},
 }
 
 users = {
@@ -51,15 +52,12 @@ users = {
 'home': '/var/lib/left4me',
 'shell': '/usr/sbin/nologin',
 },
- 'l4d2-sandbox': {
- 'uid': 981,
- 'gid': 981,
- 'shell': '/usr/sbin/nologin',
- },
 }
 
-# UIDs/GIDs pinned in the system-package range (100-999, per Debian
+# UID/GID pinned in the system-package range (100-999, per Debian
 # policy) so file ownership is deterministic across rebuilds and
-# backup restores. 980/981 are unused elsewhere in this repo.
+# backup restores. 980 is unused elsewhere in this repo.
+# (981 — formerly l4d2-sandbox — was collapsed into 980 on 2026-05-15;
+# see left4me/docs/superpowers/plans/2026-05-15-uid-collapse.md.)
 # Privileged helpers are installed by the `install_left4me_scripts`
 # action (below) directly from the left4me git checkout at
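Review bot: The new `'mode': '0755'` on `/var/lib/left4me` in the first hunk grants read/list access to group and other, yet the comment beside it justifies the change by traversal for a transient unit that runs as left4me — the directory's owner, who already has full access at the useradd default 0700 the comment cites — so neither the old 0711 nor the new 0755 is needed on that path. As far as I can tell systemd also sets up `TemporaryFileSystem=` and bind mounts with full privileges before switching to `User=`, so these permission bits do not gate the bind setup either, and the commit subject calls the change a "tighten" while 0711→0755 is strictly wider. Unless another uid not visible here (say a reverse proxy reaching a socket under the home) must traverse the directory, restore `'mode': '0700',` and make the README line agree; if some other account does need traversal, keep `'0711'` and name that account in the comment instead of the transient unit. In the users hunk, dropping uid/gid 981 leaves any files that were created as l4d2-sandbox on existing hosts owned by a now-unassigned id that a future package user could inherit, so a one-off `find / -xdev \( -uid 981 -o -gid 981 \)` pass with a chown to 980 should accompany the rollout.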